[Openswan Users] Openswan-2.4.4(Klips) - FC4-2.6.12 - xl2tpd-1.1.05 <-> XP SP2 - L2TP NAT

Paul Wouters paul at xelerance.com
Thu Nov 23 20:13:59 EST 2006


On Wed, 22 Nov 2006, Ola Albertsson wrote:

> Hi, I've got a few problems connecting a NATed XP using l2tp. The connection is
> up and I can ping computers on the corporate lan but when I for example try to
> ssh to our database server I get time out, also samba shares don't work. I
> get this error message: ERROR: asynchronous network error report on eth0
> (sport=4500)
> When browsing through the mailing list I saw a recommendation to use
> leftnexthop, I've tried it but it doesn't work.

Sounds like an MTU problem, try setting the external interface of your l2tp/ipsec
server to mtu 1400. Or else try:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

if that fails, just hardcode it:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

> I had no problems when I had another gw with RedHat 9 2.4.20-30.9 and
> Openswan-2.1.4. I've tried the same ipsec.conf configuration that I had on that
> computer with no success.

That network is apparently different. My guess is that the network without
problems is not consumer cable/dsl, but this problematic one is.

>        overridemtu=1300

Note that only works for KLIPS, not NETKEY.

> /var/log/messages on our database server to which I tried to ssh
> Nov 21 22:15:13 systemq sshd[27965]: fatal: Timeout before authentication for
> ::ffff:192.168.31.34
>
> 192.168.31.34 is the local ip of the Openswan GW... shouldn't the ip I get
> from PPP(192.168.31.36) be listed as the From address??

Yes. Perhaps it is also doing NAT?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
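As an added illustration (not part of this thread or of Openswan), the Python below estimates how much an L2TP/IPsec packet grows once it is wrapped in ESP and NAT-T UDP (port 4500), which is why a small ping passes but full-size ssh or SMB segments stall until the MSS is clamped. The header sizes for L2TP (6 bytes, no optional fields), PPP (2 bytes) and the cipher/ICV choices are assumptions for the calculation, not values taken from the mail.

```python
# Size accounting for ESP transport mode protecting an L2TP-over-UDP datagram,
# UDP-encapsulated for NAT traversal. Header sizes marked "assumed" are typical
# values chosen for this example, not measured from the poster's setup.
OUTER_IP = 20        # IPv4 header without options
NAT_T_UDP = 8        # UDP header added by NAT-T (sport/dport 4500)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV = 12             # HMAC-SHA1-96 integrity check value
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}   # cipher -> (IV bytes, block size)
L2TP_UDP = 8         # UDP header carrying L2TP (port 1701)
L2TP_HDR = 6         # assumed: data message without length/offset fields
PPP_HDR = 2          # assumed: protocol field only (ACFC negotiated)
IP_TCP_HDRS = 40     # inner IPv4 + TCP headers without options


def esp_payload_len(plain_len, cipher):
    """Bytes occupied by IV, plaintext, padding, trailer and ICV for one ESP packet."""
    iv, block = CIPHERS[cipher]
    unpadded = plain_len + ESP_TRAILER          # trailer is padded together with data
    pad = (-unpadded) % block                   # CBC ciphers need a whole block count
    return iv + unpadded + pad + ICV


def outer_packet_len(inner_ip_len, cipher="3des", nat_t=True):
    """Length on the wire of an inner IP packet sent through the L2TP/IPsec tunnel."""
    plain = L2TP_UDP + L2TP_HDR + PPP_HDR + inner_ip_len
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + esp_payload_len(plain, cipher)


def fits(inner_ip_len, path_mtu, **kw):
    """True if the encapsulated packet fits the outer path MTU without fragmentation."""
    return outer_packet_len(inner_ip_len, **kw) <= path_mtu


def max_mss(path_mtu, **kw):
    """Largest TCP MSS whose full-size segment still fits after encapsulation.

    Anything larger relies on fragmentation or PMTU discovery on the outer path,
    which is exactly what MSS clamping avoids."""
    mss = path_mtu - IP_TCP_HDRS
    while mss > 0 and not fits(mss + IP_TCP_HDRS, path_mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A default 56-byte ping (84-byte IP packet) versus a full 1500-byte segment.
    print("ping on the wire:", outer_packet_len(84), "bytes")
    print("1500-byte segment on the wire:", outer_packet_len(1500), "bytes")
    print("largest clean MSS for a 1500 path MTU (3DES):", max_mss(1500))
```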